Technical Article

Protecting Control Networks with Safety Instrumented Systems (SIS)

June 29, 2020 by David Peterson

Safety is of utmost importance in the day-to-day operations of any system, especially a system where humans and machines work together. Learn all about Safety Instrumented Systems and what it takes to keep workers safe, and the system running smoothly!

Manufacturing is never properly seen without the implementation of safety methods close by. For as long as manufacturing has existed, simple and complex strategies have been adopted to minimize hazards to workers, resulting in fewer deaths and injuries, as well as better working conditions for employees as the years go by.

Hydraulic systems, like this one used for metal cutting, require an SIS in place to protect both personnel and product.
Figure 1. Hydraulic systems, like this one used for metal cutting, require an SIS in place to protect both personnel and product.


Many industrial processes involve systems that are potentially very dangerous. Fluid pressures, extreme temperatures, and dangerous chemicals can turn an otherwise safe environment deadly with just a single failure. For processes like these, specific devoted safety instrumented systems (SIS) operate to contain failures and bring operations to a safe level, or even halt them entirely, as needed.


What is a Safety Instrumented System?

A safety instrumented system (SIS) is a specific type of control network which exists in facilities where at least a portion of the process could result in a dangerous situation in the case of a failure. Usually, these processes consist of high pressures, temperatures, or chemicals that must be contained and monitored continually. Examples of such systems may include:

  • Steam boilers like those in a power plant
  • High temperatures for ceramic and glass manufacturing
  • High-pressure hydraulic systems


Industrial steam boilers are one example of a manufacturing system that requires SIS. 

Figure 2. Industrial steam boilers are one example of a manufacturing system that requires SIS. 


Of course, every process and machine must already have safety guards and methods established. Therefore, the equipment and regulations surrounding these SIS is specified to those systems where the hazard is more likely to be widespread with worse effects to people nearby.

The advent of programmable control systems resulted in an upgrade to safety systems. Smarter sensors, actuators, and logic programs respond to hazards faster than any human operator to return a system to a safe operating level.

Since every industry and facility is different, the definition of what is considered ‘worse effects’ cannot be strictly defined by regulations. The guidelines define the methods by which hazards are analyzed and mitigated, and the SIS can then be evaluated by how much it will decrease the hazards after implementation.


SIS Purposes and Key Components

The actual components of the SIS might look quite similar to the normal control system. However, the SIS must be a separate system entirely, running alongside the existing control system. 

The objective of the SIS is different than the control system. As the name implies, the control system is responsible for controlling the normal operation of the facility. Any machines, processes, and parameters are all carefully monitored and controlled. Usually, sensors will feed information to a PLC which will then control valves, actuators, and motor drives to keep the system running at an optimized pace.

In contrast, the SIS has one single purpose - to return the facility to safety if any part of the process exceeds some sort of dangerous limits. Temps or pressures too high, liquid levels too high or low, even heavy vibrations or harmonics must all be halted, but in a controlled fashion.

The components of the SIS may be exactly the same - sensors, gauges, valves, and actuators all sending and receiving information from a central processing PLC. The SIS may include just one or two smart components, or an entire control system, whatever the established needs require.


Identifying and Assessing Risk With SIS

Careful detailing of the hazards must be done both before the design of the SIS, as well as after the design has been completed. First, the system must be proven to pose a great enough risk to warrant the implementation of the safety system. After implementation, it must be able to accomplish a significant reduction in that risk in order to accomplish its task.

The analysis process is similar to risk management studies that are performed in many other fields. In many ways, this is a blend between imagining worst-case scenarios and impacts, and statistical calculations of failure probabilities. This is why it is particularly difficult to simply reference or calculate a simple solution.

Risk management analysis uses a matrix format to compare the likelihood of a component or system failure, and if that were to happen, how bad would it be? Usually, each critical component is graded by this system, allowing a more objective overall risk calculation. 

If a failure event is unlikely to occur, and wouldn’t really be significant anyway, then it’s certainly not a high-risk failure. If it’s unlikely, but a failure would be catastrophic (such as a Chernobyl or Fukushima level event), then the risk would certainly increase. If a failure is both very likely AND would be catastrophic, the risk analysis may lead to conclusions such as discontinuing operations if a safety system may not sufficiently reduce the risk.


Standards for SIS and Determining Safety Integrity Levels

Even the SIS itself is subject to its own risk analysis. The safety system must be as immune to failure as possible to be considered successful. 

For specific guidance as to the design of this risk analysis, the standard used is IEC-61511, or the very similar document ISA 84.00.01. 

This document not only provides requirements for the system hardware and software, but also the requirement for determining safety integrity levels (SIL). Each device has a reliability, or a chance that the device might fail. A higher likelihood of failure is not as desirable for a safety system, obviously. 

To achieve a certain level of safety, each device must meet or exceed a certain SIL. The entire safety instrument system must be able to meet or exceed a level of safety integrity, so each part of the system must be carefully analyzed.